RE: NDR +Hotmail & MSN
From: Tom Vande Stouwe (tomv_at_conpro.net)
Date: 08/09/04
To: <incidents@securityfocus.com>
Date: Mon, 9 Aug 2004 13:14:35 -0400
I resolved this issue by placing a spam filter at the reception point,
instead of a standard SMTP server. I use a product called 'Fluffy' (See
sourceforge.net for bits and source). It uses a configurable combination of
RBL and SpamTraps to filter and block spammers. The nicest feature is the
dictionary attack block. If a sender sends a message to an address in the
spam trap, all messages from that site are blocked for a configurable period
of time, bounce notices can be generated or suppressed, and RBLs can be
tweaked to produce the best results.
Tom
Tom Vande Stouwe, MCP, MCAD.Net, MCSD.Net, MCT
"I'm a great believer in luck, and I find the harder I work, the more I have
of it." ....Thomas Jefferson (another great Thomas ;) )
-----Original Message-----
From: David Pick [mailto:D.M.Pick@qmul.ac.uk]
Sent: Saturday, August 07, 2004 6:57 PM
To: Hoover, James A (EIS, Corp)
Cc: 'incidents@securityfocus.com'
Subject: Re: NDR +Hotmail & MSN
Hoover, James A (EIS, Corp) wrote:
> I'm troubleshooting a problem which I believe is related to how Hotmail and
> MSN handle NDR responses. I cannot get the problem resolved through
> Hotmail's normal channels of just shunting customers to a web page to see if
> they are blacklisted. Can anyone provide a contact at Hotmail or MSN's NOC
> offline of this mailing list? I might just name my 2nd born after anyone
> who does (too late for the 1st born -but I can consider a name change if
> necessary:o). Additionally, if anyone knows how Hotmail/MSN/webtv respond
> to NDRs (that are in response to spam from those domains), I'm very
> interested.
>
> Thanks in advance for any help,
Not at all sure it's much help, but we had a problem recently where
some kind soul sent us a whole slew of EMail messages to addresses
in our domain with the user names fairly obviously taken from some
dictionary (a few were valid, most were not). The "From" addresses
were randomly-generated "hotmail" addresses. We currently operate a
system where we try and return a "helpful" message to the sender
by looking up half-way plausible but unknown EMail addresses in
the site directory and giving enough information to enable the
sender to choose a valid address from those which sound like the
one they gave. Unfortunately we accept the message before we do
this and send the response as a "bounce report" from us. The result,
of course, is a stream of messages to various invalid "hotmail"
addresses all from us ... so they block us.
Following advice from our local CERT, the only action we took
was to delete the "bounce" reports that were building up in our
queues (because "hotmail" were no longer accepting messages).
They started again after about 3 days and by then the messages
still in our queues were (mostly) valid ones so we did not get
blocked again...
As I understand it the actions at "hotmail" are automatic and
it is difficult to release such blocks "by hand" early. OTOH
only our normal EMail servers were blocked, so if we had really
cared very much we could have changed the IP addresses of the
servers so the new ones would not have been blocked.
Longer term, since this sort of thing will become more common,
we'll have to change our EMail system to reject invalid local
addresses before accepting the message, which means our "bounce"
reports will have to be generated by the site trying to send the
message to us and hence *we* won't get blocked. Unfortunately
it also means that the reports will have to be less useful to
real people. Sigh.
-- David Pick
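
An added sketch (not from the thread and not Fluffy's code) of the two measures the messages above describe: rejecting unknown recipients during RCPT TO instead of accepting and bouncing later, and blocking a client for a configurable period after it hits a spamtrap address. The class and function names, addresses, user lists and reply texts are assumptions made for illustration.

```python
import time

class RcptPolicy:
    """Decide at RCPT TO time, before DATA, so we never queue a bounce ourselves."""

    def __init__(self, valid_users, spamtraps, block_seconds=3600, clock=time.time):
        self.valid = {u.lower() for u in valid_users}
        self.traps = {t.lower() for t in spamtraps}
        self.block_seconds = block_seconds   # configurable block period
        self.clock = clock
        self.blocked_until = {}              # client IP -> epoch seconds of expiry

    def rcpt_to(self, client_ip, rcpt):
        """Return (SMTP reply code, text) for one RCPT TO command."""
        now = self.clock()
        if self.blocked_until.get(client_ip, 0) > now:
            return 554, "5.7.1 client blocked after spamtrap hit"
        local = rcpt.lower().split("@", 1)[0]
        if local in self.traps:
            # Trap hit: refuse this and every later recipient from the same client.
            self.blocked_until[client_ip] = now + self.block_seconds
            return 554, "5.7.1 client blocked after spamtrap hit"
        if local not in self.valid:
            # Rejecting here leaves any NDR to the connecting server, not to us.
            return 550, "5.1.1 user unknown"
        return 250, "2.1.5 recipient ok"


def backscatter_if_accepted(valid_users, mail_from, recipients):
    """Bounces an accept-then-bounce server would send to the (forged) sender."""
    valid = {u.lower() for u in valid_users}
    return [(mail_from, r) for r in recipients
            if r.lower().split("@", 1)[0] not in valid]


# Constructed sample session: dictionary-style recipients from one client.
USERS = ["alice", "bob"]
TRAPS = ["webmaster-old"]
RUN = ["aaron@example.org", "alice@example.org", "webmaster-old@example.org",
       "bob@example.org", "zack@example.org"]

def demo():
    policy = RcptPolicy(USERS, TRAPS, block_seconds=600, clock=lambda: 1000.0)
    return [policy.rcpt_to("192.0.2.10", r)[0] for r in RUN]

if __name__ == "__main__":
    print(demo())
    print(len(backscatter_if_accepted(USERS, "forged@hotmail.example", RUN)))
```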